Confidentiality & Security
At the Resiliency Program we ensure that your data is kept safe and secure. High standards of physical and technical security are essential to protect the confidentiality of personal data. These include:
Resiliency Program partners with Microsoft Azure to provide our data hosting infrastructure at its SOC 2 Type II and ISO 27001 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators.
Data Center Security
Facilities
Resiliency Program partners with Microsoft Azure to provide our data hosting infrastructure at its SOC 2 Type II and ISO 27001 compliant facilities. Data center facilities are powered by redundant power, each with UPS and backup generators.
On-site Security
Microsoft Azure data center facilities feature a secured perimeter with multilevel security zones, 24/7 manned security, video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms.
Data Location
Resiliency Program currently leverages Microsoft Azure data centers in the United States and India.
Application Security
S-SDLC
Control over our software development process is key to producing quality software. Security is a critical subset of that quality. That is why all development is done using the Resiliency Program Secure Software Development Lifecycle (S-SDLC) that has been designed and adopted to ensure the software Resiliency Program produces meets compliance requirements and is free of software security defects (to the greatest extent possible) that may expose sensitive data.
Vulnerability Testing
At appropriate stages in the life cycle, vulnerability scans are performed for identification of noncompliance or potential vulnerabilities. At higher-level milestones (the lesser of annually or with any major release), penetration tests are performed at the application level both internally and with a qualified third-party information security expert using both automated and manual testing techniques.
Change Management
Resiliency Program S-SDLC uses an Agile/Scrum process for managing system development activity and has implemented change management and version control software to ensure that all system development changes are sourced from authorized requesters, validated, and prioritized based on business, technical, and security impact. In addition, all changes deployed are tracked for revision control.
Quality Assurance
QA engineers review and test our application both manually and using automated scripts to identify any application and security vulnerabilities.
Separate Environments
Dev, QA, UAT and Production environments are separated physically and logically from each other. No client data is ever used in the development, test and UAT environments.
Security Training
Our principle engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Resiliency Program security controls.
Network Security
Protection
Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and 24/7/365 Security Operations Center that monitor and/or block malicious traffic and network attacks.
Architecture
Our network security architecture consists of multiple security zones. DMZs are used between the internet, and internally between the different zones of trust.
Data Security
Logical Access
Access to the Resiliency Program databases is restricted by an explicit need-to-know basis, utilizes POLP, and is frequently audited. In addition, employees with such access privileges are required to use multiple factors authentication.
Encryption in Transit
Communications between users and the Resiliency Program is encrypted via industry best-practices HTTPS and Transport Layer Security (TLS 1.2 and above) over public networks.
Encryption at Rest
All user and client data stored with Resiliency Program is encrypted at rest using AES-256 bit algorithm with a block/chunk size of 128 bits.
User Security
Authentication Options
Users can sign into the Resiliency Program application using authenticated credentials. Users are also required to use Multi Factor Authentication for secured sign-in to the application. User provisioning and permissioning is managed by our clients.
Secure credential policy
Resiliency Program provides clients the option to define their password change frequency and repeat policy. Password length and password strength are defined based upon industry best practices. BCrypt algorithm is used to hash and salt passwords securely.
Access Privileges and Roles
Authorized Resiliency Program Users are provided with multi-level permissions based upon user and role credentials. The flexible role-based authorization process is governed by each client to ensure data is secure and only made available to those who require access to it.
Incident response & Disaster
recovery
Security Incident Response
Our security team is on call 24/7/365 to respond to security alerts and events. In case of a system alert, employees are trained on security incident response processes, including communication channels and escalation paths.
Redundancy & Disaster Recovery
Resiliency Program has put in place network redundancies to eliminate single points of failure. Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster.